Automated Malware Analysis Report for FL2000-2.1

ID: 180101 Sample Name: FL2000- 2.1.33676.0.exe Cookbook: default.jbs Time: 23:53:31 Date: 01/10/2019 Version: 27.0.0 Red Agate Table of Contents

Table of Contents 2 Analysis Report FL2000-2.1.33676.0.exe 5 Overview 5 General Information 5 Detection 6 Confidence 6 Classification 6 Analysis Advice 7 Mitre Att&ck Matrix 7 Signature Overview 8 Spreading: 8 Networking: 8 E-Banking Fraud: 9 System Summary: 9 Data Obfuscation: 9 Persistence and Installation Behavior: 10 Boot Survival: 10 Hooking and other Techniques for Hiding and Protection: 10 Malware Analysis System Evasion: 10 Anti Debugging: 10 HIPS / PFW / Operating System Protection Evasion: 10 Language, Device and Operating System Detection: 11 Behavior Graph 11 Simulations 11 Behavior and APIs 11 Antivirus, Machine Learning and Genetic Malware Detection 12 Initial Sample 12 Dropped Files 12 Unpacked PE Files 12 Domains 12 URLs 12 Yara Overview 12 Initial Sample 12 PCAP (Network Traffic) 12 Dropped Files 13 Memory Dumps 13 Unpacked PEs 13 Joe Sandbox View / Context 13 IPs 13 Domains 13 ASN 13 JA3 Fingerprints 14 Dropped Files 14 Screenshots 14 Thumbnails 14 Startup 15 Created / dropped Files 16 Domains and IPs 24 Contacted Domains 24 Contacted URLs 24 URLs from Memory and Binaries 24 Contacted IPs 26 Public 26 Static File Info 26 General 26 File Icon 27 Static PE Info 27 General 27 Authenticode Signature 27 Copyright Joe Security LLC 2019 Page 2 of 51 Entrypoint Preview 28 Rich Headers 29 Data Directories 29 Sections 29 Resources 29 Imports 30 Version Infos 30 Possible Origin 30 Network Behavior 31 Network Port Distribution 31 TCP Packets 31 UDP Packets 33 DNS Queries 33 DNS Answers 33 HTTP Request Dependency Graph 33 HTTP Packets 33 Code Manipulations 34 Statistics 34 Behavior 34 System Behavior 34 Analysis Process: FL2000-2.1.33676.0.exe PID: 4196 Parent PID: 4092 35 General 35 File Activities 35 File Created 35 File Deleted 36 File Moved 36 File Written 36 File Read 38 Analysis Process: FL2000-2.1.33676.0.exe PID: 948 Parent PID: 4092 38 General 38 File Activities 38 File Read 38 Analysis Process: FL2000-2.1.33676.0.exe PID: 4292 Parent PID: 4092 39 General 39 File Activities 39 File Read 39 Analysis Process: FL2000-2.1.34054.0.exe PID: 5036 Parent PID: 4196 39 General 39 File Activities 39 File Created 39 File Deleted 41 File Written 41 File Read 44 Registry Activities 44 Key Created 44 Key Value Created 45 Analysis Process: msiexec.exe PID: 4272 Parent PID: 5036 45 General 45 File Activities 45 Registry Activities 45 Analysis Process: msiexec.exe PID: 1492 Parent PID: 4536 45 General 45 Analysis Process: msiexec.exe PID: 3616 Parent PID: 4536 46 General 46 Analysis Process: msiexec.exe PID: 4148 Parent PID: 4536 46 General 46 Analysis Process: msiexec.exe PID: 5108 Parent PID: 4536 46 General 46 Analysis Process: drvinst.exe PID: 3532 Parent PID: 700 46 General 46 Analysis Process: drvinst.exe PID: 716 Parent PID: 700 47 General 47 Analysis Process: drvinst.exe PID: 4888 Parent PID: 700 47 General 47 Analysis Process: cmd.exe PID: 2564 Parent PID: 4536 47 General 47 Analysis Process: conhost.exe PID: 4420 Parent PID: 2564 48 General 48 Analysis Process: xcopy.exe PID: 2736 Parent PID: 2564 48 General 48

Copyright Joe Security LLC 2019 Page 3 of 51 Analysis Process: cmd.exe PID: 5056 Parent PID: 2564 48 General 48 Analysis Process: powershell.exe PID: 4800 Parent PID: 5056 48 General 48 Analysis Process: cmd.exe PID: 2444 Parent PID: 2564 49 General 49 Analysis Process: powershell.exe PID: 4056 Parent PID: 2444 49 General 49 Analysis Process: flvga_tray.exe PID: 4028 Parent PID: 3040 49 General 49 Analysis Process: sc.exe PID: 4824 Parent PID: 2564 49 General 49 Analysis Process: sc.exe PID: 4844 Parent PID: 2564 50 General 50 Analysis Process: flvga_tray.exe PID: 4796 Parent PID: 2564 50 General 50 Analysis Process: flvga_tray.exe PID: 2472 Parent PID: 3040 50 General 50 Disassembly 51 Code Analysis 51

Overview

General Information

Joe Sandbox Version: 27.0.0 Red Agate Analysis ID: 180101 Start date: 01.10.2019 Start time: 23:53:31 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 10m 57s Hypervisor based Inspection enabled: false Report type: light Sample file name: FL2000-2.1.33676.0.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Run name: Cmdline fuzzy Number of analysed new started processes analysed: 30 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: SUS Classification: sus36.evad.winEXE@34/35@1/1 EGA Information: Successful, ratio: 71.4% HDC Information: Successful, ratio: 93.3% (good quality ratio 87.2%) Quality average: 74.8% Quality standard deviation: 29.9% HCA Information: Failed Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .exe

Copyright Joe Security LLC 2019 Page 5 of 51 Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.156.204.185, 172.217.23.196, 8.241.9.254, 8.248.127.254, 67.26.137.254, 8.253.204.120, 8.248.141.254, 67.26.111.254, 67.27.233.126, 8.253.95.249, 8.253.207.120, 8.253.204.249, 8.253.207.121, 8.248.113.254, 93.184.221.240, 205.185.216.42, 205.185.216.10, 67.26.83.254, 67.27.158.126 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, settings- win.data.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, settingsfd-geo.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, auto.au.download.windowsupdate.com.c.footprint.n et, wu.wpc.apr-52dd2.edgecastdns.net Execution Graph export aborted for target FL2000- 2.1.33676.0.exe, PID 948 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 36 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 0 0 - 5 true

Classification

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Privilege Credential Lateral Command Initial Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Replication Execution Modify Existing Exploitation for Deobfuscate/Decode Credential System Time Remote File Data from Data Remote File Through through API 1 Service 1 Privilege Files or Dumping Discovery 1 Copy 2 Local System Encrypted 1 Copy 2 Removable Escalation 1 Information 1 Media 1

Copyright Joe Security LLC 2019 Page 7 of 51 Privilege Credential Lateral Command Initial Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Replication Command-Line Port Monitors Access Token File Deletion 1 Network Peripheral Replication Data from Exfiltration Standard Through Interface 1 Manipulation 1 Sniffing Device Through Removable Over Other Cryptographic Removable Discovery 2 1 Removable Media Network Protocol 1 Media Media 1 Medium Drive-by Windows Accessibility Process Obfuscated Files or Input Capture Security Windows Data from Automated Standard Non- Compromise Management Features Injection 1 1 Information 2 Software Remote Network Exfiltration Application Instrumentation Discovery 4 1 Management Shared Drive Layer Protocol 2 Exploit Public- Scheduled Task System DLL Search Masquerading 4 Credentials in File and Logon Scripts Input Capture Data Standard Facing Firmware Order Hijacking Files Directory Encrypted Application Application Discovery 3 Layer Protocol 2 Spearphishing Command-Line Shortcut File System Access Token Account System Shared Data Staged Scheduled Standard Link Interface Modification Permissions Manipulation 1 Manipulation Information Webroot Transfer Cryptographic Weakness Discovery 5 4 Protocol Spearphishing Graphical User Modify Existing New Service Process Brute Force Query Third-party Screen Data Transfer Commonly Attachment Interface Service Injection 1 1 Registry 1 Software Capture Size Limits Used Port Spearphishing Scripting Path Scheduled Task DLL Side- Two-Factor Process Pass the Hash Email Exfiltration Uncommonly via Service Interception Loading 1 Authentication Discovery 3 Collection Over Used Port Interception Command and Control Channel Supply Chain Third-party Logon Scripts Process Indicator Blocking Bash History Application Remote Clipboard Data Exfiltration Standard Compromise Software Injection Window Desktop Over Application Discovery 1 Protocol Alternative Layer Protocol Protocol Trusted Rundll32 DLL Search Service Process Injection Input Prompt Remote System Windows Automated Exfiltration Multilayer Relationship Order Hijacking Registry Discovery 1 Admin Shares Collection Over Physical Encryption Permissions Medium Weakness

Signature Overview

• Spreading • Networking • E-Banking Fraud • System Summary • Data Obfuscation • Persistence and Installation Behavior • Boot Survival • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection

Click to jump to signature section

Spreading:

Checks for available system drives (often done to infect USB drives)

Contains functionality to get notified if a device is plugged in / out

Contains functionality to enumerate / list files inside a directory

Contains functionality to query local drives

Networking:

Contains functionality to download additional files from the internet

Downloads files from webservers via HTTP

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Drops certificate files (DER)

System Summary:

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Creates files inside the driver directory

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

Detected potential crypto function

Enables security privileges

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Reads the hosts file

Sample file is different than original file name gathered from version info

Sample reads its own file content

Tries to load missing DLLs

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to enum processes or threads

Contains functionality to load and extract PE file embedded resources

Creates files inside the user directory

Creates temporary files

Might use command line arguments

PE file has an executable .text section and no other executable section

Parts of this applications are using the .NET runtime (Probably coded in C#)

Reads ini files

Reads software policies

Sample might require command line arguments

Spawns processes

Uses an in-process (OLE) Automation server

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Creates a software uninstall entry

PE file has a valid certificate

Submission file is bigger than most known malware samples

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Boot Survival:

Uses sc.exe to modify the status of services

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Checks the free space of harddrives

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to read device registry values (via SetupAPI)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to enumerate / list files inside a directory

Contains functionality to query local drives

Contains functionality to query system information

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Contains functionality locales information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Contains functionality to create pipes for IPC

Contains functionality to query local / system time

Contains functionality to query windows version

Queries the cryptographic machine GUID

Behavior Graph

Hide Legend Legend: Process Signature

Behavior Graph Created File ID: 180101

Sample: FL2000-2.1.33676.0.exe Startdate: 01/10/2019 DNS/IP Info Architecture: WINDOWS Score: 36 Is Dropped

Found evasive API chain (may stop execution started started started Is Windows Process after checking mutex) Number of created Registry Values

cmd.exe FL2000-2.1.33676.0.exe msiexec.exe Numb10 oetherr p rocefss ecs reated Files 23 Visual Basic

s3-us-west-2-w.amazonaws.com

54.231.177.2, 49707, 80 updates.frescologic.com.s3.amazonaws.com updates.frescologic.com dropped dropped Delphi dropped dropped unknown United States Java

started started started C:\Users\user\...\FL2000-2.1.34054.0.exe.part, PE32 started C:\Program Files\DIFX\...\DIFxAppA.dll, PE32+ .CN:\Winedowts \SCyste#m3 2o\...\SrE TV65DB3.tm.p,N PE3E2 T C:\Windows\System32\...\SET5364.tmp, PE32+

Drops executables to C, C++ or other language the windows directory (C:\Windows) and starts them Is malicious

flvga_tray.exe xcopy.exe cmd.exe FL2000-2.1.34054.0.exe Internet 4 other processes

1 22

dropped dropped

C:\Windows\System32\flvga_tray.exe, PE32+ C:\Users\user\AppData\Local\...\shiFE2F.tmp, PE32+

started started started

Found evasive API chain (may stop execution after checking mutex)

powershell.exe powershell.exe msiexec.exe

dropped dropped dropped dropped

C:\Users\user\AppData\Local\Temp\MSIB90.tmp, PE32 C:\Users\user\AppData\Local\Temp\MSIB31.tmp, PE32 C:\Users\user\AppData\Local\Temp\MSIB02.tmp, PE32 C:\Users\user\AppData\Local\Temp\MSI999.tmp, PE32

Simulations

Behavior and APIs

Time Type Description 23:55:30 Autostart Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run flvga_tray32 C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe i 23:55:39 Autostart Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run flvga_tray C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe i

Initial Sample

Source Detection Scanner Label Link FL2000-2.1.33676.0.exe 1% Virustotal Browse FL2000-2.1.33676.0.exe 3% Metadefender Browse

Dropped Files

Source Detection Scanner Label Link C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll 0% Virustotal Browse C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\MSI999.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\MSI999.tmp 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\MSIB02.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\MSIB02.tmp 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\MSIB31.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\MSIB31.tmp 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\MSIB90.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\MSIB90.tmp 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\shiFE2F.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\shiFE2F.tmp 0% Metadefender Browse C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part 1% Virustotal Browse C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part NaN% Metadefender Browse C:\Windows\System32\flvga_tray.exe 0% Virustotal Browse C:\Windows\System32\flvga_tray.exe 0% Metadefender Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link https://www.google.co.uk/intl/en/about/products?tab=wh 0% Virustotal Browse https://www.google.co.uk/intl/en/about/products?tab=wh 0% Avira URL Cloud safe www.google.co.uk/imghp?hl=en&tab=wi 0% Virustotal Browse www.google.co.uk/imghp?hl=en&tab=wi 0% Avira URL Cloud safe ocsp.thawte.com0 0% Avira URL Cloud safe ocsp.thawte.com0 0% Google Safe safe Browsing www.advancedinstaller.com0 0% Avira URL Cloud safe www.google.co.uk/history/optout?hl=en 0% Virustotal Browse www.google.co.uk/history/optout?hl=en 0% Avira URL Cloud safe maps.google.co.uk/maps?hl=en&tab=wl 0% Virustotal Browse maps.google.co.uk/maps?hl=en&tab=wl 0% Avira URL Cloud safe news.google.co.uk/nwshp?hl=en&tab=wn 0% Virustotal Browse news.google.co.uk/nwshp?hl=en&tab=wn 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches Copyright Joe Security LLC 2019 Page 12 of 51 Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match Associated Sample Name / URL SHA 256 Detection Link Context s3-us-west-2-w.amazonaws.com https://www.evernote.com/shard/s316/sh/d00a8d84- Get hash malicious Browse 54.231.185.70 5e50-4c48-8558- e449328e231c/e79738f18e1188b9529e06a95a5c87e8 Get hash malicious Browse 54.231.169.30 tracking.onlinebesteducation.com/campaigns/gg5264rz9sa20/t rack- url/kx3049341c95c/ae3b8194d0ab224de956b50a0999362ac5e f5ba8

ASN

Match Associated Sample Name / URL SHA 256 Detection Link Context unknown Receipt#81058369422287255138661.vbs Get hash malicious Browse 217.48.25.112 https://nam01.safelinks.protection.outlook.com/? Get hash malicious Browse 217.174.15 url=https%3A%2F%2Fhimiloconstruction.com%2Fllg%2FZS% 2.200 3Femzo%3Dlyn%26lin%3Deportacio%40stanfordhealthcare.or g&data=01%7C01%7Ceportacio%40stanfordhealthcare.org%7 C19a2b358c55f4fe9e0b708d74695ed3f%7C9866b506dc9d48d db7203a50db77a1cc%7C0&sdata=8SwjMiACaC8XFSvtOk2% 2BOWzclRmDGEPC2LRyiSsLW%2Bc%3D&reserved=0 Get hash malicious Browse 92.123.10.60 https://cdn1.evernote.com/win6/public/Evernote_6.21.2.8716.e xe Get hash malicious Browse 92.123.10.60 https://cdn1.evernote.com/win6/public/Evernote_6.21.2.8716.e xe docu-signen.dynu.net/ Get hash malicious Browse 23.54.112.111 sync.madnet.ru Get hash malicious Browse 78.140.184.98 IMG001.exe Get hash malicious Browse 37.1.216.8 information.vbe Get hash malicious Browse 91.235.116.58 https://galvaomoura.com.br/llg/ZS? Get hash malicious Browse 162.241.53.43 [email protected] vogueknitting.com Get hash malicious Browse 205.185.208.52 Get hash malicious Browse 148.62.79.96 www.dbrsupportportal.dellbackupandrecovery.com/service/sp update.svc https://docs.google.com/uc? Get hash malicious Browse 172.217.22.193 id=118XPglUA65Wbjlw77zdn8xXsLZn6b1D0 https://publicisteastafrica.com/wp- Get hash malicious Browse 158.85.53.149 content/uploads/2019/09/file/ord_21.zip https://docs.google.com/uc? Get hash malicious Browse 172.217.22.193 id=1hQ8OD4F0bVQsiZLCUImS8f2OHWHJChaS W-9.pdf Get hash malicious Browse 3.3.0.2

Copyright Joe Security LLC 2019 Page 13 of 51 Match Associated Sample Name / URL SHA 256 Detection Link Context https://nam02.safelinks.protection.outlook.com/? Get hash malicious Browse 138.201.10 url=https%3A%2F%2Faegypten- 7.250 hurghada.com%2Fvs%2FZS%3Femzo%3Dlyn%26lin%3Dros alee.bard%40benefitmall.com&data=02%7C01%7CServiceDe sk%40benefitmall.com%7Cbb26a7e29c3947e4439208d7468f9 928%7Cd5254c64bea1491da6a09719464ce9db%7C0%7C0% 7C637055454872469199&sdata=m2%2FQvq%2BrVkWiSTn8 pVFuy5tpOjTfEytQXiNGz6%2B7Whw%3D&reserved=0 https://cutt.us/LR5Pu Get hash malicious Browse 78.135.65.25 https://docs.google.com/uc? Get hash malicious Browse 172.217.22.193 id=118XPglUA65Wbjlw77zdn8xXsLZn6b1D0 Get hash malicious Browse 104.192.108.19 104.192.108.19/softdl.360tpcdn.com/softadd/softadd_list_1.0. 0.1010.cab Shutdown, Turnaround Maitenance & Insepction Forum Get hash malicious Browse 3.3.0.2 2020.pdf

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2019 Page 15 of 51 System is w10x64 FL2000-2.1.33676.0.exe (PID: 4196 cmdline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' -install MD5: 18D9DA8E28B2704AAA5BBA34CBDFC8F8) FL2000-2.1.34054.0.exe (PID: 5036 cmdline: 'C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' /exenoupdates MD5: 18B0139CA76E7447BC64F9A812F4A9F2) msiexec.exe (PID: 4272 cmdline: /i 'C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi' AI_S ETUPEXEPATH='C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' SETUPEXEDIR='C:\Users\user\Downloads\' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' MD5: 4767B71A318E201188A0D0A420C8B608) FL2000-2.1.33676.0.exe (PID: 948 cmdline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' /install MD5: 18D9DA8E28B2704AAA5BBA34CBDFC8F8) FL2000-2.1.33676.0.exe (PID: 4292 cmdline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' /load MD5: 18D9DA8E28B2704AAA5BBA34CBDFC8F8) msiexec.exe (PID: 1492 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5B7212B2A0E72EFBDFF572D491F96252 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2) msiexec.exe (PID: 3616 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B8142CC01163E4DA639627860F1CF8BB MD5: 12C17B5A5C2A7B97342C362CA467E9A2) msiexec.exe (PID: 4148 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 94BE93BE77F29D2C2C3BCA280B9A42CC MD5: 4767B71A318E201188A0D0A420C8B608) msiexec.exe (PID: 5108 cmdline: C:\Windows\System32\MsiExec.exe -Embedding F8B4CEBEEC0818AC96CAA2C8B26978A1 E Global\MSI0000 MD5: 4767B71A318E201188A0D0A420C8B608) drvinst.exe (PID: 3532 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\FL2000.inf' '9' '40101c057' '0000000000000A54' 'Wi nSta0\Default' '0000000000000CF8' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000' MD5: 46F5A16FA391AB6EA97C602B4D2E7819) drvinst.exe (PID: 716 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd\lci_proxykmd.inf' '9' '4d9ccbb2f' '000000000 0000C28' 'WinSta0\Default' '0000000000000CF4' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd' MD5: 46F5A16FA391AB6EA97C602B4D2E7819) drvinst.exe (PID: 4888 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx\fresco_iddcx.inf' '9' '4d7097e0f' '000000000 0000CF4' 'WinSta0\Default' '0000000000000CCC' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx' MD5: 46F5A16FA391AB6EA97C602B4D2E7819) cmd.exe (PID: 2564 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\post_install.cmd'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F) conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) xcopy.exe (PID: 2736 cmdline: xcopy /y /q .\fl2000\x64\flvga_tray.exe C:\Windows\System32\ MD5: 6BC7DB1465BEB7607CBCBD7F64007219) cmd.exe (PID: 5056 cmdline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Major MD5: 4E2ACF4F8A396486AB4268C94A6A245F) powershell.exe (PID: 4800 cmdline: powershell [environment]::OsVersion.Version.Major MD5: 95000560239032BC68B4C2FDFCDEF913) cmd.exe (PID: 2444 cmdline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Build MD5: 4E2ACF4F8A396486AB4268C94A6A245F) powershell.exe (PID: 4056 cmdline: powershell [environment]::OsVersion.Version.Build MD5: 95000560239032BC68B4C2FDFCDEF913) sc.exe (PID: 4824 cmdline: sc delete flxhciv MD5: D79784553A9410D15E04766AAAB77CD6) sc.exe (PID: 4844 cmdline: sc query ddmgr MD5: D79784553A9410D15E04766AAAB77CD6) flvga_tray.exe (PID: 4796 cmdline: C:\Windows\System32\flvga_tray.exe i MD5: 7B16174FF4C023F4A9DE26D7A6F678F8) flvga_tray.exe (PID: 4028 cmdline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe' i MD5: 4D9DE5366E2CB20A68BAEDA9C4A8D05E) flvga_tray.exe (PID: 2472 cmdline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe' i MD5: 7B16174FF4C023F4A9DE26D7A6F678F8) cleanup

Created / dropped Files

C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll

Process: C:\Windows\System32\msiexec.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Size (bytes): 723000 Entropy (8bit): 5.964446343990589 Encrypted: false MD5: 89596BCC6B7ADD0A805C9F7A2EC120DE SHA1: E576A07E09DF2BD69773334189C431B2369D1F93 SHA-256: EB2AAF64E9F74EE1C1D687777BDFE9911989059D04E980685C9350153B6BC677 SHA-512: 0E72E53BA512F10AF5B75F2651D5D481D455A2D67B412A4FC7A2A3C2EF086953322F54B3BA0F9D3F3E27B964F6A75C16087F98D721342F719E217BB39F0D780D Malicious: false Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... Rich...... PE..d...Vj.H...... " ...... F...... @...... u....@...... 0...... L...... @...... 8(...... 0...... text...... `.data...X...... @....pdata..@...... @[email protected]...... N...... @[email protected]...... @..B......

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Size (bytes): 64 Entropy (8bit): 0.34726597513537405 Encrypted: false MD5: 446DD1CF97EABA21CF14D03AEBC79F27 SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799 SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7 Malicious: false Preview: @...e......

Process: C:\Windows\System32\msiexec.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 97280 Entropy (8bit): 6.3781622546125885 Encrypted: false MD5: 3056644ACE6294C801A8010E99888525 SHA1: BBB622450269B1918E9FE11ED32DEECF65E7E0E2 SHA-256: 77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B SHA-512: 853E263E4A921B332CF573B8271759CFF5CEC569B08AF78ED8F022D76567868A66455C12FAB728A96BABEBD3859FC1ED2C8507E7233B45B2811542E2D38E1C3A Malicious: false Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @[email protected]...`....P...... 4...... @....rsrc...0....`...... 6...... @[email protected]...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIB02.tmp

C:\Users\user\AppData\Local\Temp\MSIB31.tmp

C:\Users\user\AppData\Local\Temp\MSIB90.tmp

Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @[email protected]...`....P...... 4...... @....rsrc...0....`...... 6...... @[email protected]...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIe038e.LOG Process: C:\Windows\System32\msiexec.exe File Type: data Size (bytes): 144514 Entropy (8bit): 3.8029845262198267 Encrypted: false MD5: 06DE7889072019EB2BCDA2433A50E04E SHA1: 64DE28EDE61BF918594666903D576AC4D7454E55 SHA-256: 1EA1E3CBD26D387DF9860C3B287B4532233C452A70830A10922330BDDB944B0C SHA-512: 4F72E34F981D95F8779F05C080B594D7BAF97FBB2F263FA468E18F3177E95AB5A296C68F2FD3CA7C53DABB4D6100E734DDD94D64CD3D821FE58782A5AFE0A68 A Malicious: false Preview: ..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.0./.1./.2.0.1.9. . .2.3.:.5.4.:.5.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p. r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.B.0.:.0.0.). .[.2.3.:.5.4.:.5.4.:.9.1.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g...... M.S.I. .(.c.). .(.B.0.:.0.0.). .[.2.3.:.5.4.:.5.4.:.9.1.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g...... M.S.I. .(.c.). .(.B.0.:.5.4.). .[.2.3.:.5.4.:.5.5.:.0.1.3.].:. .R.e. s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.B.0.:.5.4.). .[.2.3.:.5.4.:.5.5.:.0.1.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pndkqt0.fij.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: ASCII text, with no line terminators Size (bytes): 81 Entropy (8bit): 4.5224146534885525 Encrypted: false MD5: FC6CFCFDEA398EDB016A1672934AC7BE SHA1: 31CBA7B9A47DF05281652B9ABAD12BB0CCC345CF SHA-256: 06B7863D28E394D264974D3594A6A13416D21838215DF57D2A70B90922073C91 SHA-512: 2BB106A0E3C552A067ECB00AFE3588D604B2ACB8CF06D8307EF908150484478EFBFF765CA9BF0BE2B52B6F19AD38E1A03D2B36E28525FA21BC743D31E74F587 1 Malicious: false Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:55:29 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4byq2cwp.max.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: ASCII text, with no line terminators Size (bytes): 81 Entropy (8bit): 4.5717973695379355 Encrypted: false MD5: 42DECC8D181484B5A90DCC9B99EA8C23 SHA1: C02CC200E1B6FAA742411D216CE3062C50637711 SHA-256: B495E920132E5B191D7D338F249E603A9A5F12F34BA456D7DD4F4A807807A4F5 SHA-512: E68873CDD4E381D51392E03B2452443F8871044A100D57DD2B4B30CDFF9E236D26220FB9D63DB656EF6843C3493AFABD57CA1F9E525EAC03497B891225AAE0D9 Malicious: false Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:55:34 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjfhzmpb.rgf.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: ASCII text, with no line terminators Size (bytes): 81 Entropy (8bit): 4.5717973695379355 Encrypted: false MD5: 42DECC8D181484B5A90DCC9B99EA8C23 SHA1: C02CC200E1B6FAA742411D216CE3062C50637711 SHA-256: B495E920132E5B191D7D338F249E603A9A5F12F34BA456D7DD4F4A807807A4F5 SHA-512: E68873CDD4E381D51392E03B2452443F8871044A100D57DD2B4B30CDFF9E236D26220FB9D63DB656EF6843C3493AFABD57CA1F9E525EAC03497B891225AAE0D9 Malicious: false Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:55:34 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhao1z2n.i1x.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Copyright Joe Security LLC 2019 Page 18 of 51 C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhao1z2n.i1x.psm1 File Type: ASCII text, with no line terminators Size (bytes): 81 Entropy (8bit): 4.5224146534885525 Encrypted: false MD5: FC6CFCFDEA398EDB016A1672934AC7BE SHA1: 31CBA7B9A47DF05281652B9ABAD12BB0CCC345CF SHA-256: 06B7863D28E394D264974D3594A6A13416D21838215DF57D2A70B90922073C91 SHA-512: 2BB106A0E3C552A067ECB00AFE3588D604B2ACB8CF06D8307EF908150484478EFBFF765CA9BF0BE2B52B6F19AD38E1A03D2B36E28525FA21BC743D31E74F587 1 Malicious: false Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:55:29 PM

C:\Users\user\AppData\Local\Temp\shiFE2F.tmp

Process: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows Size (bytes): 4070400 Entropy (8bit): 6.189876613469743 Encrypted: false MD5: 71A25F5901A58354EDA73A500FABA9FF SHA1: 871C0D6E6FA19F8976FEDE4EDD3C6B8AD18EA5FA SHA-256: A30BD6BBE26342A4FA5300606DB99EA414CD4FAE3886BA5F29CFA6488AAAED82 SHA-512: F8828714C9A98504FB92B0050B1A6286BF569798AB828BBC511517F8B89655EBEA8CD2FF9FB4C71F607BB6500414A36DEF41E5CE775A32EE6E5140270F33203B Malicious: false Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... hR...... Rich ...... PE..d...... " ...... 0...... >...... }>...`A...... ^;..$....;...... @=...... 0<...... `>..0..0Z2.T...... 1...... 1...... text...w.0...... 0...... `.rdata..4.....0...... 0...... @[email protected]....;..0....;...... @....pdata...... 0<...... ;...... @[email protected]...... @=...... <...... @[email protected]...`>..2....=...... @..B......

C:\Users\user\AppData\Local\Temp\tinA830.tmp.part Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe File Type: HTML document, ISO-8859 text, with very long lines Size (bytes): 12585 Entropy (8bit): 5.700500834413338 Encrypted: false MD5: 19FEC999D99F9073AD35493767949967 SHA1: 3F8BD4C5BFF3E793D557F56CAF549535661C308B SHA-256: 345A442F9AA0D969D57B67CF05F8009D5E77439A0768EA26A75E556C5A3CAAFC SHA-512: 2A0ED055763DEA2CD3EA2E84E46D27A2EC062CAC9C9A3F4D2733AF1A91AE3CD58C051E94CAB6D6E693FA0F134B6A670D6A808B9E028BEFD0FFFAAF5AD66F C844 Malicious: false Preview:

C:\Users\user\AppData\Local\Temp\updADCE.tmp.part Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1831 Entropy (8bit): 5.337541339418556 Encrypted: false MD5: 54AB87D570346F70EAE42ABAC0CEE76B SHA1: A4CB1890225F6E37E2488B4E69FB6BF00F168BAA SHA-256: 7FBD8678415BF9F7A462A290F74FA32B148FE05C54B73F9C6FB01B38D919C690 SHA-512: 5F4F95417BEC805AB6B2B2C10D284D5CF7C78E2C6DD42FBCDAAE9BF78D71249C205AEAD6A7E0C35C3C0293DB40763BB1E80348288B48F1B7CFD4B1E2EAF26 1D1 Malicious: false Preview: ;aiu;....[FL2000-2.1.34054.0]..Name = Fresco Logic USB Display Driver 2.1.34054.0..ProductVersion = 2.1.34054.0..URL = http://updates.frescologic.com/FL2000/FL2000- 2.1.34054.0.exe..Size = 8058744..ReleaseDate = 23/11/2017..MD5 = 18b0139ca76e7447bc64f9a812f4a9f2..CommandLine = /qn..ServerFileName = FL2000-2.1. 34054.0.exe..Flags = SilentInstall..RegistryKey = HKUD\Software\Fresco Logic\Fresco Logic USB Display Driver\Version..Version = 2.1.34054.0..Replaces = All....[ FL2000-2.1.33788.0]..Name = Fresco Logic USB Display Driver 2.1.33788.0..ProductVersion = 2.1.33788.0..URL = http://updates.frescologic.com/FL2000/FL2000-2.1.33 788.0.exe..Size = 8057920..ReleaseDate = 18/08/2017..MD5 = a26f77605f5a6bab00280f039e9b359c..CommandLine = /qn..ServerFileName = FL2000-2.1.33788.0.ex e..Flags = SilentInstall..RegistryKey = HKUD\Software\Fresco Logic\Fresco Logic USB Display Driver\Version..Version = 2.1.33788.0..Replaces = All....[FL2000-2.1 .33676.0]..Name = Fresco Logic USB Display Driver 2.1.33676.

Copyright Joe Security LLC 2019 Page 19 of 51 C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi Process: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe File Type: This installer database contains the logic and data required to install Fresco Logic USB Display Driver. Size (bytes): 7500167 Entropy (8bit): 7.592839130091192 Encrypted: false MD5: 96DD1ABF9BA59BA8C5CDC51C9337848B SHA1: 714E19D9653EB6FAB67F0FC9B353BFA9716E9381 SHA-256: 435A5529898B449779C4EEAA80D8C085604C36DA8C005FD16D25BB2A49B5D1A9 SHA-512: 121F125A341A1BA5294B96D838A10CE400E78471402BBA9AD21024418D14C073754DA609C51F9865DBED75B970A055814C593BDC70E086C07A29F275A0254226 Malicious: false Preview: ...... >......

C:\Users\user\Documents\20191001\PowerShell_transcript.562258.XaC_140a.20191001235534.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 933 Entropy (8bit): 4.9929850054364096 Encrypted: false MD5: CA7DB931CD978474D704FB07C7D6C05C SHA1: 3E2D51B27E9AD2AB427653D44AE7BEFF472345B6 SHA-256: 3EC699C82DC6319B6CC8D4CD85CF433E90F9190C2E1EDFD1B5D5D922AA05FBC1 SHA-512: 5A4D14227962AE5511048ABF1277F83302CD33FACBDBE29F7C6EF899FCE0DC3B6EFBD5E5FA877A6A509772F1B2ED480248E4A68A40DB743FE93B8203BECFA6 5E Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20191001235534..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell [environment]::OsVersion.Version.Build..Process ID: 4056..PSVersion: 5.1.171 34.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackV ersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191001235534..********** ************..PS>[environment]::OsVersion.Version.Build..17134..**********************..Command start time: 20191001235535..**********************..PS>$global:?..True..** ********************..Windows PowerShell transcript end..End time: 20191001235535..**********************..

C:\Users\user\Documents\20191001\PowerShell_transcript.562258.eQFDIvhn.20191001235528.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 930 Entropy (8bit): 4.992337096385313 Encrypted: false MD5: 75EBBE8153121AFEAAAC2C7B4BE1302C SHA1: 0EED5F038BF7F9CE697E55A43173E673C6564DD7 SHA-256: 6AFB5A033B810DA7B1611E8F41984962CCFAC789F4C404B28419D7BAF3BB6E63 SHA-512: 01220B03EB2840E91DB088F37CE6E12FA23C19AF6C9FA5BE11021D9D021B8243FF209C0A432BE3BD0E620547BA0D455EA6B6B81722F608E22907DF0DB0675600 Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20191001235529..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell [environment]::OsVersion.Version.Major..Process ID: 4800..PSVersion: 5.1.171 34.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackV ersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191001235529..********** ************..PS>[environment]::OsVersion.Version.Major..10..**********************..Command start time: 20191001235529..**********************..PS>$global:?..True..***** *****************..Windows PowerShell transcript end..End time: 20191001235529..**********************..

C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part

Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 8058744 Entropy (8bit): 7.528930784926416 Encrypted: false MD5: 18B0139CA76E7447BC64F9A812F4A9F2 SHA1: 4B1163AC860F88696FFB54759E8DE9A5A581F878 SHA-256: 5E0590D6DCCC198B427C7C51CA5CC50448C2D4AAAE275322B1378D78058750E7 SHA-512: 9C22528A91835FA63DA8EDC334DC9AD3BB22CDDD17831F38CCC4A8A01A969DF8706C7B417FC5F2DD61F901F968A400D8ADE6C039080A06AD3E00B3815F39FD2 A Malicious: false Antivirus: Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: NaN%, Browse

Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... J...J...J .xJ...J .zJ...J .{J...J..K...J..K...Jq.K...J..K...J...J...J...J.. .J...J...J...J...J..K..J..vJ...J..K...JRich...J...... PE..L...... W...... 4...... %...... @...... 0...... V{...@...... (...(...... z...... 7...|..p...... P}...... `...@...... `...... text...v...... `.rdata...... @[email protected]....#...... @....gfids..8...... @[email protected]...... @....rsrc...... @[email protected]...... 8...... @..B......

C:\Windows\INF\oem3.inf Process: C:\Windows\System32\drvinst.exe File Type: Windows setup INFormation, ASCII text, with CRLF line terminators Size (bytes): 3011 Entropy (8bit): 5.4894439301116105 Encrypted: false MD5: DFF6F55358762EB9970450BE02DC316D SHA1: 02B94313A3DAF5BA27BCC4FAEA0716A0F660086C SHA-256: 01B2EB0F9C5E800981BA14668319B2A9B691DC208AE8079B0BD526E81931C7A0 SHA-512: E3258DE664A8B5377CF92EBCC92E58448C50685C279320EBC4A91774D0C4A78DA5E609110E462E48744A3558D9C1C9EEA202D3045967EEA00C3551B9C276641E Malicious: false Preview: ; fl2000.inf..; Fresco Logic Video Render Devices....[Version]..Signature="$WINDOWS NT$"..Class=AVClass..ClassGuid={E115CBB2-8F23-4BC3-9C78-DF56533EAA FB}..Provider=%FRESCO%..DriverVer=11/13/2017,2.1.34054.0..CatalogFile=fl2000.cat....[ClassInstall32]..Addreg=AVClassClassReg....[AVClassClassReg]..HKR ,,,0,%ClassName%..HKR,,Icon,,-5....[Manufacturer]..%FRESCO%=FL2000, NTx86, NTamd64....[FL2000.NTx86]..%FL2000.DeviceDesc%=FL2000_INSTALL, US B\VID_1D5C&PID_2000 ; FL2000...%Lenovo.DeviceDesc%=FL2000_INSTALL, USB\VID_17EF&PID_7209 ; Lenovo...%NoBrand.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1FFE ; no brand..%Insignia.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1998 ; Insignia....[FL2000.NTAMD64]..%FL2000.Devi ceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_2000 ; FL2000...%Lenovo.DeviceDesc%=FL2000_INSTALL, USB\VID_17EF&PID_7209 ; Lenovo...%NoBrand.D eviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1FFE ; no brand..%Insignia.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1998 ; Insignia....[FL2

C:\Windows\INF\oem4.inf Process: C:\Windows\System32\drvinst.exe File Type: Windows setup INFormation, ASCII text, with CRLF line terminators Size (bytes): 2763 Entropy (8bit): 5.3909418897820816 Encrypted: false MD5: BF0449963CB8E168DD7AA4BF41E444D7 SHA1: 7C22E1F94C4AE5334C0BEE70551B20BEE3C293FA SHA-256: 55041093261C95AF4320610260C0B2FDB04D6113345EBFE4BB435038A21162AC SHA-512: 90756D61A5E74A0AFED74E4EFB37C418CC4FBBE46D31341139EBBA205E08F6EC50DA3BC18F7C2C491ABB4B3DB9012386C69C3D64CCE9708896AC48D76232E3 A1 Malicious: false Preview: ;..;..;Module Name:..;..; lci_proxykmd.INF..;..;Abstract:..; Fresco Logic Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={ 4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%FrescoLogic%..DriverVer=11/13/2017,2.1.34054.0..CatalogFile=lci_proxykmd.cat....[DestinationDirs]..De faultDestDir = 12..lci_proxykmd.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxykmd.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64 ]..1=%DiskId1%, lci_proxykmd.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxykmd.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxykmd.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1...... ;****************************************

C:\Windows\INF\oem5.inf Process: C:\Windows\System32\drvinst.exe File Type: Windows setup INFormation, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators Size (bytes): 4640 Entropy (8bit): 3.7942199187916312 Encrypted: false MD5: 67F83C75FF60B98155B0A34403B5375F SHA1: 9328342CF3E5994E24BB0C09FBD875141BEF3984 SHA-256: A36EC56FA17F39A2C4BA9441960E971CF3C1FFFCDC437746C7AA58BBF01DC8B9 SHA-512: 1D7748BAFA1C8BD6A33B90309D884C9B701BF6B15225EC0623489F64627AA6834260F26FBB2C8921D27B773A7567D7A16BAFB205DB927B2BE4D929F88B32F907 Malicious: false Preview: ..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .f.r.e.s.c.o._.i.d.d.c.x...I.N.F.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .F.L.2.0.0.0. .U.M.D.F.2. .D.r. i.v.e.r.....;...... [.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3. 1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.F.R.E.S.C.O.%.....C.a.t.a.l.o.g.F.i.l.e.=.f.r.e.s.c.o._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.1./. 1.3./.2.0.1.7.,.2...1...3.4.0.5.4...0...... [.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r. s.\.u.m.d.f...... [.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,...... [.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,...... [.S.

C:\Windows\System32\DriverStore\FileRepository\fl2000.inf_amd64_c6887e95b10ab4f4\FL2000.PNF Process: C:\Windows\System32\msiexec.exe File Type: data Size (bytes): 10612 Entropy (8bit): 3.617794998295327 Encrypted: false MD5: DC87E6C689D06AA81B21C26F0A0AF6D2 SHA1: 0C75134A4EBF26EDFA2B90A4C725B98348BBD669

Copyright Joe Security LLC 2019 Page 21 of 51 C:\Windows\System32\DriverStore\FileRepository\fl2000.inf_amd64_c6887e95b10ab4f4\FL2000.PNF SHA-256: D44A66D28027C343862CD87429DDFED9BE3FD8B83A88F40B9BE63893A614876F SHA-512: CDC663D098B4AC8F6F2BBE415F44DCBDA72B57D8DD0273873B35987583D2DBD03AA6DB262E6E2F563513989B21E2505B525F1B2E08D311A561DC745C8434E785 Malicious: false Preview: ...... 0...@...... d...... p...... @ ...... "..<...0&..h...... p)...... C.:.\.W.i.n.d.o.w.s.....H...... L...... X...... \...... X...... P...... $...,...... $...... T...... `...$...... 0...... p...... ,...... X......

C:\Windows\System32\DriverStore\FileRepository\fresco_iddcx.inf_amd64_c0a96d9de0966939\fresco_iddcx.PNF Process: C:\Windows\System32\msiexec.exe File Type: data Size (bytes): 8932 Entropy (8bit): 3.5834277657211797 Encrypted: false MD5: 0D9809D671FDB4C08FDA8622C4EF85C5 SHA1: 21F658D57F771B23BCCFDCBC2E42632C576C695E SHA-256: 3B354DC2CB424B571C5407DFE18DCEEC6AB5583B89E8B442348F2D02D4C9FCFE SHA-512: 61ED3A289D1FD03AD3E7D3D780B90FEFD4D6E650D3C04A2D0544CE7C4A966C02F8BF76E1A50307A7BCAB614E2D1049BCC1288F0358C1D3131FA017B6363ABE 71 Malicious: false Preview: ...... V...... d...... ,...... h...p...... `...<...... h...... "...... C.:.\.W.i.n.d.o.w.s...... H...... L...... P...... H...... 0...... H...... ,...... X...... d...... x...... |...... h...... d...... 8......

C:\Windows\System32\DriverStore\FileRepository\lci_proxykmd.inf_amd64_ace2d311f3c3f377\lci_proxykmd.PNF Process: C:\Windows\System32\msiexec.exe File Type: data Size (bytes): 8884 Entropy (8bit): 3.496886914720003 Encrypted: false MD5: 86D14089A0F4487CEC4CEFAC1273BF09 SHA1: 65F6B68A90F04CDADBD1568120D89AC1122AC66E SHA-256: 213C188843E13957289700DF7E223A2D982C9A732FFEA0D289F5F5BB5BB08E85 SHA-512: 0EB0CEE87BF952313AC6BBF9EADC9DCB375CB1DA0257ED312CB3CF962F8DFED0C7E22BCFDAD370ACC9964F7A0F851BB70B82698735490070D9EA9F660663D 6EC Malicious: false Preview: ...... :...... -.d...... |...P...... p...... h...... "...... C.:.\.W.i.n.d.o.w.s...... 0...... |...... @...... 8...... T...... 8...... $...... t...... @......

C:\Windows\System32\DriverStore\Temp\{0bf3b1a2-40ed-504a-ad97-e9f95d2955ea}\x64\SET5364.tmp Process: C:\Windows\System32\drvinst.exe File Type: PE32+ executable (native) x86-64, for MS Windows Size (bytes): 2481854 Entropy (8bit): 7.602212707569997 Encrypted: false MD5: 42F05B2900DC899718655B705ED8B8AE SHA1: F852FFAFEEF8159DEB44457800026F8F3ED21A38 SHA-256: 7A8B3773280B208983C6B04DB4CEA4DF3F4900D85E831DA73FC61716B1A93941 SHA-512: C5FD117E1BAF667155BA609DE8F8909316EAC7AFF963CF732E38161766A3971CF3E140FDD5FEFA8E5910215A28758D346F9DF4B603AE6BBD14B9A1DD1F9DFC4 D Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... j...j...j...7...j....I..j...j..j...7..j...7..j...7..j..b4..j..g4...j..b4..j..Rich.j...... PE..d...... Z...... "...... >...... @...... @...... o.....`...... P...... ?...... [email protected]...... 8...... x...... text...... h.rdata...... @..H.data...... @....pdata...... f...... @..H.gfids...... t...... @..HP AGE.....!...... "...v...... `INIT....V...... b.rsrc....?...... @...... @..H.reloc..D....0...... @..B......

C:\Windows\System32\DriverStore\Temp\{69598ca3-6468-204d-9942-c16861403e68}\x64\SET65D3.tmp Process: C:\Windows\System32\drvinst.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 437126 Entropy (8bit): 6.536954162154328 Encrypted: false MD5: 0D8EB354F5A1FDAB6D80DF304EDE7705 SHA1: 3404818E4E9DF8EE29E2FC1BE96B374B325A5DB9 SHA-256: 44F33D41B1C876920C645C873F554EFF039FB2CBF9D317DFE4C85C6BE700D11E

Copyright Joe Security LLC 2019 Page 22 of 51 C:\Windows\System32\DriverStore\Temp\{69598ca3-6468-204d-9942-c16861403e68}\x64\SET65D3.tmp SHA-512: 03416C43C2B305BE4567DD3E8CF4152515BCA8AC582C53C7782337A5B1C95C39D21D96F7EFD9DA5B3B2A919A6FD17F780C999E0263A4C6EF7DA91581F3E41D7 F Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v .X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X...... PE..L...... Z...... !.....6...... P...... 0...... e)....@...... <...... @...... 8...... @...... P..$...... text....5...... 6...... `.rdata..bw...P...x...:...... @[email protected]...... @.... gfids...... @[email protected]...... @[email protected]...... @..B......

C:\Windows\System32\DriverStore\Temp\{a7be26f5-441a-9842-b408-57d738e03dc0}\SET74E6.tmp Process: C:\Windows\System32\drvinst.exe File Type: data Size (bytes): 67726 Entropy (8bit): 6.554047673232434 Encrypted: false MD5: 355908AA428E5895FA72CAF392353685 SHA1: E2050E601EBA93BA3C95DCD69FCD431ADE3D3FA8 SHA-256: 080ACA40E67E725A2432F9B545EA91F22C44C07D1895CF522CEE12609CB43FBE SHA-512: CEF6892913BA3AE2F968DA04334A9F1ED3B15DE23A344E6D039C9805EA6B27C65F357F1D4FD5BC989C640F738F65D1B66BAEA9B3E6298D8B954A84BF82315A9 4 Malicious: false Preview: 0.#...*.H...... #.0.#....1.0...+...... 0.....+.....7...... 0...0...+.....7...... q.n.C...a..I..171123030418Z0...+.....7.....0...0....R5.8.4.4.0.9.C.8.A.7.2.4.2.E.9.F.2.6.6.2.F.C.5.C.5.9.2.2. 4.C.4.F.2.2.D.F.4.9.E.6...1..S0D..+.....7...1604...F.i.l.e...... "f.r.e.s.c.o._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...... 0!0...+...... XD..$..&b.\Y"LO".I.0X..+.....7. ..1J0H...O.S.A.t.t.r...... 22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.9.6. 1.7.B.4.5.3.F.3.B.1.4.C.E.8.D.9.F.7.7.A.4.A.2.2.9.8.F.C.E.3.C.8.E.5.F.7.1...1..S0D..+.....7...1604...F.i.l.e...... "f.r.e.s.c.o._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...... 0!0...+...... ya{E?;...w..)..<._q0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8 .C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R9.3

C:\Windows\System32\catroot2\dberr.txt Process: C:\Windows\System32\drvinst.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 76 Entropy (8bit): 4.828354204900533 Encrypted: false MD5: 12E48FB5AAFE59A007ECEC16C9161EBC SHA1: F5519288A51CD8CF5F2FEDF5189C4E1E09115702 SHA-256: 42C507B730F7FC7B0521B9489A2FB52DE95145C0A3B53526637F7C379DFE7B73 SHA-512: DA05F07872ABD295CF816CEB7149D6DB9B6B4F86493978AE4EDEFE217F2E5227C7F6E02F77AE20CBE28A3AA54AD57D625911947C848B770484D9A4A73C1D48E 3 Malicious: false Preview: CatalogDB: 11:55:24 PM 10/1/2019: DONE Adding Catalog File (0ms): oem5.cat..

C:\Windows\System32\flvga_tray.exe

Process: C:\Windows\System32\xcopy.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 457336 Entropy (8bit): 5.091151163818643 Encrypted: false MD5: 7B16174FF4C023F4A9DE26D7A6F678F8 SHA1: 816C598F031FC9A4BE18FB58B010EE9C19DCCA21 SHA-256: 9AB4B2CC06F425CDAB011E63793E1C1FEDA16352E5A607E5A6C45070AA4EBD53 SHA-512: 95E3E943FBDB792445D1F08FEA34E2E1DF0C3F6BAE0BB4D6A6FAB360EFE39872DF2A6E874652F42ADCFD3AB21268449CDA54C6106E7DBCD118C7886710466F C7 Malicious: true Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... bC...... ~...... ~...... ~...... f...... f...... ,...... )...... ,...... Rich...... PE..d...... Z...... "...... p...\...... Q...... @...... `...... V...... *...... <...... x@...... x....2..p...... @3...... text....o...... p...... `.rdata...... t...... @[email protected]....$...p...... Z...... @....pdata..<...... j...... @[email protected] ids...... @[email protected]....*...... ,...... @[email protected]...... @..B......

\Device\Null Process: C:\Windows\System32\sc.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 122 Entropy (8bit): 4.7381372398275685 Encrypted: false MD5: 6BBCFD360C0797E6650F0D3CB1C36109

Copyright Joe Security LLC 2019 Page 23 of 51 \Device\Null SHA1: E22B5F6A4654134D687A3908464E67FAA23D84FF SHA-256: DF023CA139E8DCB21F0D4A603B34AF95F980C1E388C97E4735DD698D0329113C SHA-512: 0281C1CC1B104C73F130068A905E37B75F3C3A40884D3E2CC421AEAF6A3C6B938393894FE750FA7DE44B9D0A25F9B3C11BB386FD133B3D710A549632ED9EA604 Malicious: false Preview: [SC] EnumQueryServicesStatus:OpenService FAILED 1060:....The specified service does not exist as an installed service.....

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation s3-us-west-2-w.amazonaws.com 54.231.177.2 true false high updates.frescologic.com unknown unknown false high

Contacted URLs

Name Malicious Antivirus Detection Reputation updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exe false high updates.frescologic.com/FL2000_Updates.txt false high

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation https://www.google.co.uk/intl/en/about/products?tab=wh FL2000-2.1.33676.0.exe, 000000 false 0%, Virustotal, Browse low 00.00000003.1736572384.0000000 Avira URL Cloud: safe 000587000.00000004.00000001.sdmp www.google.co.uk/imghp?hl=en&tab=wi FL2000-2.1.33676.0.exe, 000000 false 0%, Virustotal, Browse low 00.00000003.1736572384.0000000 Avira URL Cloud: safe 000587000.00000004.00000001.sdmp updates.frescologic.com/FL2000/FL2000- FL2000-2.1.33676.0.exe, 000000 false high 2.1.33676.0.exe 00.00000003.1740059495.0000000 0036C0000.00000004.00000001.sdmp, updADCE.tmp.part.0.dr updates.frescologic.com/FL2000/FL2000_Updates.txt-N msiexec.exe, 00000005.00000003 false high .2022167087.0000023EF9A29000.0 0000004.00000001.sdmp updates.frescologic.com/FL2000/FL2000- FL2000-2.1.33676.0.exe, 000000 false high 2.1.33581.0.exe 00.00000003.1740059495.0000000 0036C0000.00000004.00000001.sdmp, updADCE.tmp.part.0.dr updates.frescologic.com/FL2000_Updates.txtii FL2000-2.1.33676.0.exe, 000000 false high 03.00000002.1760837736.0000000 0009F8000.00000004.00000020.sdmp updates.frescologic.com/FL2000/FL2000_Updates.txt FL2000-2.1.33676.0.exe, FL2000- false high 2.1.33676.0.exe, 00000000.000 00003.1799111394.0000000000586 000.00000004.00000001.sdmp, FL2000- 2.1.34054.0.exe, FL2000-2.1.34054.0 .exe, 00000004.00000003.202785 9093.0000000000904000.00000004 .00000001.sdmp, msiexec.exe, 0 0000005.00000003.2020620263.00 00023EFD978000.00000004.000000 01.sdmp, msiexec.exe, 00000005 .00000003.2015799799.0000023EF C1F0000.00000004.00000001.sdmp, msiexec.exe, 00000005.000000 03.1809227229.0000023EF99A7000 .00000004.00000001.sdmp, msiex ec.exe, 00000005.00000003.1983 367008.0000023EFC310000.000000 04.00000001.sdmp, FL2000-2.1.3 4054.0.exe.part.0.dr updates.frescologic.com/ FL2000-2.1.33676.0.exe, FL2000- false high 2.1.33676.0.exe, 00000000.000 00003.1740271156.0000000000531 000.00000004.00000001.sdmp www.youtube.com/?gl=GB&tab=w1 FL2000-2.1.33676.0.exe, 000000 false high 00.00000003.1736572384.0000000 000587000.00000004.00000001.sdmp

Copyright Joe Security LLC 2019 Page 24 of 51 Name Source Malicious Antivirus Detection Reputation ocsp.thawte.com0 FL2000-2.1.34054.0.exe, 000000 false Avira URL Cloud: safe unknown 04.00000003.1808060547.0000000 Google Safe Browsing: safe 000941000.00000004.00000001.sdmp, msiexec.exe, 00000005.0000 0003.1811318068.0000023EF9A290 00.00000004.00000001.sdmp, drv inst.exe, 0000000C.00000003.18 82504210.000001F25FD51000.0000 0004.00000001.sdmp, drvinst.exe, 0000000D.00000003.189915436 9.000002F7F31C5000.00000004.00 000001.sdmp, drvinst.exe, 0000 000E.00000003.1909044451.00000 2DF5E06C000.00000004.00000001. sdmp, xcopy.exe, 00000011.0000 0002.1919282813.00000201315120 00.00000004.00000020.sdmp, FL2000- 2.1.33676.0.exe updates.frescologic.com/FL2000/FL2000_Updates.txtq msiexec.exe, 00000005.00000003 false high .1809599668.0000023EF99A7000.0 0000004.00000001.sdmp updates.frescologic.com/FL2000_Updates.txtk FL2000-2.1.33676.0.exe, 000000 false high 00.00000002.1805088639.0000000 00051B000.00000004.00000020.sdmp www.advancedinstaller.com0 msiexec.exe, 00000005.00000002 false Avira URL Cloud: safe unknown .2025881574.0000023EFD9C5000.0 0000004.00000001.sdmp, FL2000- 2.1.33676.0.exe www.yahoo.com FL2000-2.1.33676.0.exe, FL2000- false high 2.1.34054.0.exe www.google.co.uk/history/optout?hl=en FL2000-2.1.33676.0.exe, 000000 false 0%, Virustotal, Browse low 00.00000003.1736572384.0000000 Avira URL Cloud: safe 000587000.00000004.00000001.sdmp updates.frescologic.com/No_Updates.txt# msiexec.exe, 00000005.00000003 false high .1809599668.0000023EF99A7000.0 0000004.00000001.sdmp updates.frescologic.com/FL2000/FL2000- FL2000-2.1.33676.0.exe, 000000 false high 2.1.33788.0.exe 00.00000003.1740059495.0000000 0036C0000.00000004.00000001.sdmp, updADCE.tmp.part.0.dr updates.frescologic.com/FL2000_Updates.txt; FL2000-2.1.33676.0.exe, 000000 false high 00.00000003.1740271156.0000000 000531000.00000004.00000001.sdmp updates.frescologic.com/FL2000/FL2000- FL2000-2.1.33676.0.exe, 000000 false high 2.1.34054.0.exe) 00.00000002.1805088639.0000000 00051B000.00000004.00000020.sdmp, FL2000-2.1.33676.0.exe, 00000000.000 00003.1740271156.0000000000531 000.00000004.00000001.sdmp updates.frescologic.com/FL2000_Updates.txtZ FL2000-2.1.33676.0.exe, 000000 false high 02.00000002.1782463331.0000000 000528000.00000004.00000020.sdmp maps.google.co.uk/maps?hl=en&tab=wl FL2000-2.1.33676.0.exe, 000000 false 0%, Virustotal, Browse low 00.00000003.1736572384.0000000 Avira URL Cloud: safe 000587000.00000004.00000001.sdmp crl.thawte.com/ThawteTimestampingCA.crl0 FL2000-2.1.34054.0.exe, 000000 false high 04.00000003.1808060547.0000000 000941000.00000004.00000001.sdmp, msiexec.exe, 00000005.0000 0003.1811318068.0000023EF9A290 00.00000004.00000001.sdmp, drv inst.exe, 0000000C.00000003.18 82504210.000001F25FD51000.0000 0004.00000001.sdmp, drvinst.exe, 0000000D.00000003.189915436 9.000002F7F31C5000.00000004.00 000001.sdmp, drvinst.exe, 0000 000E.00000003.1909044451.00000 2DF5E06C000.00000004.00000001. sdmp, xcopy.exe, 00000011.0000 0002.1919282813.00000201315120 00.00000004.00000020.sdmp, FL2000- 2.1.33676.0.exe news.google.co.uk/nwshp?hl=en&tab=wn FL2000-2.1.33676.0.exe, 000000 false 0%, Virustotal, Browse low 00.00000003.1736572384.0000000 Avira URL Cloud: safe 000587000.00000004.00000001.sdmp https://www.thawte.com/cps0/ msiexec.exe, 00000005.00000002 false high .2025881574.0000023EFD9C5000.0 0000004.00000001.sdmp, FL2000- 2.1.33676.0.exe updates.frescologic.com/FL2000/FL2000- FL2000-2.1.33676.0.exe, 000000 false high 2.1.34054.0.exe/ 00.00000002.1805088639.0000000 00051B000.00000004.00000020.sdmp Copyright Joe Security LLC 2019 Page 25 of 51 Name Source Malicious Antivirus Detection Reputation updates.frescologic.com/FL2000_Updates.txtXXNnPNU FL2000-2.1.33676.0.exe, 000000 false high 00.00000002.1804939882.0000000 0004EA000.00000004.00000020.sdmp updates.frescologic.com/No_Updates.txt msiexec.exe, 00000005.00000003 false high .2015382002.0000023EFC1F0000.0 0000004.00000001.sdmp, msiexec.exe, 00000005.00000003.1983013580.00000 23EFC310000.00000004.00000001. sdmp, msiexec.exe, 00000005.00 000003.2022167087.0000023EF9A2 9000.00000004.00000001.sdmp https://www.thawte.com/repository0 FL2000-2.1.33676.0.exe false high schemas.xmlsoap.org/ws/2005/05/identity/claims/name powershell.exe, 00000013.00000 false high 002.1931444396.000001EAE69F000 0.00000004.00000001.sdmp, powe rshell.exe, 00000016.00000002. 1950640172.000002CB247BA000.00 000004.00000001.sdmp updates.frescologic.com/No_Updates.txt? msiexec.exe, 00000005.00000003 false high .1809259973.0000023EF999A000.0 0000004.00000001.sdmp

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs

Public

IP Country Flag ASN ASN Name Malicious 54.231.177.2 United States 16509 unknown false

Static File Info

General File type: PE32 executable (GUI) Intel 80386, for MS Windows Entropy (8bit): 7.526448176341106

Copyright Joe Security LLC 2019 Page 26 of 51 General TrID: Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: FL2000-2.1.33676.0.exe File size: 8033240 MD5: 18d9da8e28b2704aaa5bba34cbdfc8f8 SHA1: 0390ec416d74502ec2acc920db132b4d3e8dd4af SHA256: f1969b1ce2a8ed547348a4009ab3be4f4d97a4f2df6031a e5c1f62cc7d0b3278 SHA512: 0e3e00b29603e8d6af1a277154c42e526e103716b63260 2a38469fb8eee54ad8231bd710dcccab3386fff3c342213 db891e8811f72d046b8d507885afc2101e7 SSDEEP: 98304:oXpTTfL5m2GMGSY5Ay5AfzCweiY5AgbrTRYX XzQHMcOloIJ11aSGfzFdL7AS7tVY:keTwe5ojMFU91P GpR7ASZVjbg File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... J...J ...J .xJ...J .zJ...J .{J...J...K...J...K...Jq..K...J...K...J...J...J.. .J...J...J...J...J...J...K...J..vJ...J...K...

File Icon

Icon Hash: 6969edc3919092e0

Static PE Info

General

Entrypoint: 0x43251d Entrypoint Section: .text Digitally signed: true Imagebase: 0x400000 Subsystem: windows gui Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT Time Stamp: 0x5787A993 [Thu Jul 14 15:02:43 2016 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 5 OS Version Minor: 1 File Version Major: 5 File Version Minor: 1 Subsystem Version Major: 5 Subsystem Version Minor: 1 Import Hash: a85d1ff8430aa5b4659e57bfe09aba1f

Authenticode Signature

Signature Valid: true Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 5/2/2016 5:00:00 PM 5/8/2019 5:00:00 AM Subject Chain CN="Fresco Logic, Inc", O="Fresco Logic, Inc", L=Beaverton, S=Oregon, C=US, PostalCode=97005, STREET="Cascade Plaza West, Suite #230", STREET=12655 SW Center St, SERIALNUMBER=488117-98, OID.1.3.6.1.4.1.311.60.2.1.2=Oregon, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization Version: 3 Thumbprint MD5: 0BB0573972CD0DE62A5C9C4F921B60C8 Thumbprint SHA-1: FA1FE90863B83057B61A8E4A099B95FF9A047014 Thumbprint SHA-256: E46211C5FEC1D1107FE59485CB4F70965BB5A28095FE5C336870F130B1A686C3 Serial: 0407B711F972C5DB5492D7A96D097D84

Instruction call 00007F6338590217h jmp 00007F633858FAF3h jmp dword ptr [0044B260h] push ebp mov ebp, esp test byte ptr [ebp+08h], 00000001h push esi mov esi, ecx mov dword ptr [esi], 0044B5C0h je 00007F633858FC6Ch push 0000000Ch push esi call 00007F633858F7BEh pop ecx pop ecx mov eax, esi pop esi pop ebp retn 0004h push ecx lea ecx, dword ptr [esp+08h] sub ecx, eax and ecx, 0Fh add eax, ecx sbb ecx, ecx or eax, ecx pop ecx jmp 00007F633859033Fh push ecx lea ecx, dword ptr [esp+08h] sub ecx, eax and ecx, 07h add eax, ecx sbb ecx, ecx or eax, ecx pop ecx jmp 00007F6338590329h push ebp mov ebp, esp sub esp, 00000324h push ebx push esi push 00000017h call 00007F63385A6925h test eax, eax je 00007F633858FC67h mov ecx, dword ptr [ebp+08h] int 29h xor esi, esi lea eax, dword ptr [ebp-00000324h] push 000002CCh push esi push eax mov dword ptr [0045C334h], esi call 00007F6338590324h add esp, 0Ch mov dword ptr [ebp-00000274h], eax mov dword ptr [ebp-00000278h], ecx mov dword ptr [ebp-0000027Ch], edx mov dword ptr [ebp-00000280h], ebx mov dword ptr [ebp-00000284h], esi mov dword ptr [ebp-00000288h], edi

Copyright Joe Security LLC 2019 Page 28 of 51 Instruction mov word ptr [ebp-0000025Ch], ss mov word ptr [ebp+00FFFD98h], cs

Rich Headers

Programming Language: [C++] VS2008 SP1 build 30729 [RES] VS2015 UPD3 build 24213 [ C ] VS2008 SP1 build 30729 [IMP] VS2008 SP1 build 30729

Data Directories

Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0x59d28 0x28 .rdata IMAGE_DIRECTORY_ENTRY_RESOURCE 0x60000 0xeb0c .rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x7a7178 0x2260 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x6f000 0x37ec .reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x57ce0 0x70 .rdata IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x57d50 0x18 .rdata IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x4b560 0x40 .rdata IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x4b000 0x260 .rdata IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x5899c 0x1c0 .rdata IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .text 0x1000 0x49476 0x49600 False 0.571327326448 data 6.62273338447 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ .rdata 0x4b000 0xfaca 0xfc00 False 0.395352802579 data 4.84047386917 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_READ .data 0x5b000 0x23f4 0x1000 False 0.297119140625 data 3.28409806556 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .gfids 0x5e000 0x138 0x200 False 0.439453125 data 2.7504074177 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_READ .tls 0x5f000 0x9 0x200 False 0.033203125 data 0.0203931352361 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .rsrc 0x60000 0xeb0c 0xec00 False 0.16791909428 data 4.07123777807 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_READ .reloc 0x6f000 0x37ec 0x3800 False 0.774135044643 data 6.72409540312 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_DISCARDABL E, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country IMAGE_FILE 0x607d0 0x6 ISO-8859 text, with no line terminators English United States IMAGE_FILE 0x607d8 0x6 ISO-8859 text, with no line terminators English United States RTF_FILE 0x607e0 0x2e9 Rich Text Format data, version 1, ANSI English United States RTF_FILE 0x60acc 0xa1 Rich Text Format data, version 1, ANSI English United States RT_ICON 0x60b70 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length English United States 16896, next free block index 40, next free block 0, next used block 4294901760 RT_ICON 0x64d98 0x25a8 data English United States RT_ICON 0x67340 0x10a8 data English United States RT_ICON 0x683e8 0x988 data English United States RT_ICON 0x68d70 0x468 GLS_BINARY_LSB_FIRST English United States RT_MENU 0x691d8 0x5c data English United States RT_MENU 0x69234 0x2a data English United States RT_DIALOG 0x69260 0xac data English United States RT_DIALOG 0x6930c 0x2a6 data English United States Copyright Joe Security LLC 2019 Page 29 of 51 Name RVA Size Type Language Country

RT_DIALOG 0x695b4 0x3b4 data English United States RT_DIALOG 0x69968 0xbc data English United States RT_DIALOG 0x69a24 0x204 data English United States RT_DIALOG 0x69c28 0x282 data English United States RT_DIALOG 0x69eac 0xcc data English United States RT_DIALOG 0x69f78 0x146 data English United States RT_DIALOG 0x6a0c0 0x226 data English United States RT_DIALOG 0x6a2e8 0x388 data English United States RT_DIALOG 0x6a670 0x1b4 data English United States RT_DIALOG 0x6a824 0x136 data English United States RT_STRING 0x6a95c 0x45c data English United States RT_STRING 0x6adb8 0x760 data English United States RT_STRING 0x6b518 0x2f8 data English United States RT_STRING 0x6b810 0x598 data English United States RT_STRING 0x6bda8 0x3e8 data English United States RT_STRING 0x6c190 0x7a6 data English United States RT_STRING 0x6c938 0x746 data English United States RT_STRING 0x6d080 0x7ba data English United States RT_STRING 0x6d83c 0x598 data English United States RT_STRING 0x6ddd4 0x186 data English United States RT_GROUP_ICON 0x6df5c 0x4c data English United States RT_VERSION 0x6dfa8 0x3ec data English United States RT_MANIFEST 0x6e394 0x775 XML 1.0 document, ASCII text, with CRLF line English United States terminators

Imports

DLL Import KERNEL32.dll WideCharToMultiByte, MultiByteToWideChar, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateFileW, WriteFile, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemDirectoryW, LoadLibraryExW, FreeLibrary, lstrcmpiW, LeaveCriticalSection, EnterCriticalSection, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThreadId, DecodePointer, CloseHandle, GetShortPathNameW, CreateEventW, GetCurrentProcessId, GetCommandLineW, SetCurrentDirectoryW, CreateThread, WaitForSingleObject, SetEvent, GetDriveTypeW, GetFileAttributesW, SetFileAttributesW, CopyFileW, GetExitCodeThread, SetLastError, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, GetTempPathW, GetTempFileNameW, DeleteFileW, FindFirstFileW, FindNextFileW, FindClose, RemoveDirectoryW, CreateDirectoryW, GetLogicalDriveStringsW, GetFileSize, ReadFile, GetDiskFreeSpaceExW, GetEnvironmentVariableW, SetFilePointer, SetEndOfFile, InterlockedExchange, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, LoadLibraryW, GetSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, OutputDebugStringW, InitializeCriticalSection, GetLocalTime, FlushFileBuffers, MulDiv, TerminateThread, CreateNamedPipeW, ConnectNamedPipe, FormatMessageW, GetFileTime, GetStdHandle, GetStringTypeW, GetLocaleInfoA, MoveFileW, ResetEvent, GlobalFree, GetVersionExW, Sleep, GlobalLock, GlobalUnlock, GlobalAlloc, LocalFree, LocalAlloc, CompareFileTime, CopyFileExW, IsDebuggerPresent, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, GetACP, ExitProcess, GetModuleHandleExW, GetFileType, GetCPInfo, IsValidCodePage, GetOEMCP, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, LCMapStringW, FindFirstFileExW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW

Version Infos

Description Data LegalCopyright Copyright (C) 2017 Fresco Logic InternalName FL2000-2.1.33676.0 FileVersion 2.1.33676.0 CompanyName Fresco Logic ProductName Fresco Logic USB Display Driver ProductVersion 2.1.33676.0 FileDescription This installer database contains the logic and data required to install Fresco Logic USB Display Driver. OriginalFileName FL2000-2.1.33676.0.exe Translation 0x0409 0x04b0

Possible Origin

Language of compilation system Country where language is spoken Map

English United States

Network Behavior

Network Port Distribution

Total Packets: 33 • 53 (DNS) • 80 (HTTP)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP Oct 1, 2019 23:54:33.627787113 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:33.816222906 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:33.816477060 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:33.817465067 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:34.004801035 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:34.042659044 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:34.042692900 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:34.042709112 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:34.042865038 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:34.079910994 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:34.080075026 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.042938948 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.230360985 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287106991 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287201881 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287235022 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287266970 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287301064 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287328005 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287355900 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287386894 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287412882 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287445068 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.287564993 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.287846088 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.320003033 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.320599079 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.475004911 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475179911 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475208044 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475234032 CEST 80 49707 54.231.177.2 192.168.2.5

Copyright Joe Security LLC 2019 Page 31 of 51 Timestamp Source Port Dest Port Source IP Dest IP Oct 1, 2019 23:54:44.475259066 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475284100 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475308895 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475334883 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475359917 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475394011 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475414991 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475429058 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.475435972 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475456953 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475477934 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475498915 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475517035 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475538969 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475558996 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475579977 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.475754976 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.508063078 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.508122921 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.508426905 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.649976969 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.650266886 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.662993908 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663028955 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663152933 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663172007 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.663191080 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663219929 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663247108 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663274050 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663301945 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663326025 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663350105 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663377047 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663404942 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663410902 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.663433075 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663460016 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663487911 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663516045 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663543940 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663559914 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.663570881 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663598061 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663625956 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663650036 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663676977 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663702011 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663728952 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663753033 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663779974 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663790941 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.663806915 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663835049 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663861990 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663888931 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663892031 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.663916111 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663944006 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.663990021 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.664000988 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.664019108 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.664047003 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.664071083 CEST 80 49707 54.231.177.2 192.168.2.5

Copyright Joe Security LLC 2019 Page 32 of 51 Timestamp Source Port Dest Port Source IP Dest IP Oct 1, 2019 23:54:44.664097071 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.664160013 CEST 49707 80 192.168.2.5 54.231.177.2 Oct 1, 2019 23:54:44.695969105 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.695997953 CEST 80 49707 54.231.177.2 192.168.2.5 Oct 1, 2019 23:54:44.696043968 CEST 80 49707 54.231.177.2 192.168.2.5

UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP Oct 1, 2019 23:54:25.735127926 CEST 64328 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:54:25.784380913 CEST 53 64328 8.8.8.8 192.168.2.5 Oct 1, 2019 23:54:32.336458921 CEST 60642 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:54:32.369864941 CEST 53 60642 8.8.8.8 192.168.2.5 Oct 1, 2019 23:54:33.588639975 CEST 61907 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:54:33.623744011 CEST 53 61907 8.8.8.8 192.168.2.5 Oct 1, 2019 23:55:18.504425049 CEST 49957 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:55:18.529735088 CEST 53 49957 8.8.8.8 192.168.2.5 Oct 1, 2019 23:55:19.507688046 CEST 49957 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:55:19.532891989 CEST 53 49957 8.8.8.8 192.168.2.5 Oct 1, 2019 23:55:20.596576929 CEST 49957 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:55:20.621880054 CEST 53 49957 8.8.8.8 192.168.2.5 Oct 1, 2019 23:55:22.589724064 CEST 49957 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:55:22.614866018 CEST 53 49957 8.8.8.8 192.168.2.5 Oct 1, 2019 23:55:26.604753971 CEST 49957 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:55:26.630000114 CEST 53 49957 8.8.8.8 192.168.2.5 Oct 1, 2019 23:56:30.736638069 CEST 61734 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:56:30.770160913 CEST 53 61734 8.8.8.8 192.168.2.5 Oct 1, 2019 23:56:31.739125013 CEST 61734 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:56:31.764322042 CEST 53 61734 8.8.8.8 192.168.2.5 Oct 1, 2019 23:56:32.743866920 CEST 61734 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:56:32.769125938 CEST 53 61734 8.8.8.8 192.168.2.5 Oct 1, 2019 23:56:34.754777908 CEST 61734 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:56:34.780004025 CEST 53 61734 8.8.8.8 192.168.2.5 Oct 1, 2019 23:56:38.762531996 CEST 61734 53 192.168.2.5 8.8.8.8 Oct 1, 2019 23:56:38.787801981 CEST 53 61734 8.8.8.8 192.168.2.5

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Oct 1, 2019 23:54:33.588639975 CEST 192.168.2.5 8.8.8.8 0xd178 Standard query updates.fr A (IP address) IN (0x0001) (0) escologic.com

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class Oct 1, 2019 8.8.8.8 192.168.2.5 0xd178 No error (0) updates.fr updates.frescologic.com.s CNAME IN (0x0001) 23:54:33.623744011 escologic.com 3.amazonaws.com (Canonical CEST name) Oct 1, 2019 8.8.8.8 192.168.2.5 0xd178 No error (0) updates.fr s3-us-west-2- CNAME IN (0x0001) 23:54:33.623744011 escologic. w.amazonaws.com (Canonical CEST com.s3.ama name) zonaws.com Oct 1, 2019 8.8.8.8 192.168.2.5 0xd178 No error (0) s3-us-west-2- 54.231.177.2 A (IP address) IN (0x0001) 23:54:33.623744011 w.amazo CEST naws.com

HTTP Request Dependency Graph

updates.frescologic.com

HTTP Packets

Session ID Source IP Source Port Destination IP Destination Port Process 0 192.168.2.5 49707 54.231.177.2 80 C:\Users\user\Desktop\FL2000-2.1.33676.0.exe

Copyright Joe Security LLC 2019 Page 33 of 51 kBytes Timestamp transferred Direction Data Oct 1, 2019 22 OUT GET /FL2000_Updates.txt HTTP/1.1 23:54:33.817465067 CEST Accept: */* User-Agent: AdvancedInstaller Host: updates.frescologic.com Connection: Keep-Alive Cache-Control: no-cache Oct 1, 2019 22 IN HTTP/1.1 200 OK 23:54:34.042659044 CEST x-amz-id-2: +LrOQE5flBZMI5AUvkxX1iZjq4+N2Wj8rBeAKze//N15a3hGPuqIVr+XYXz3cY7QpMIi2TlHIWQ= x-amz-request-id: 637955EDB407B6A6 Date: Tue, 01 Oct 2019 21:54:34 GMT Last-Modified: Thu, 23 Nov 2017 08:11:44 GMT ETag: "54ab87d570346f70eae42abac0cee76b" Accept-Ranges: bytes Content-Type: text/plain Content-Length: 1831 Server: AmazonS3 Oct 1, 2019 25 OUT GET /FL2000/FL2000-2.1.34054.0.exe HTTP/1.1 23:54:44.042938948 CEST Accept: */* User-Agent: AdvancedInstaller Host: updates.frescologic.com Connection: Keep-Alive Cache-Control: no-cache Oct 1, 2019 26 IN HTTP/1.1 200 OK 23:54:44.287106991 CEST x-amz-id-2: KsE2HL6ABv/IJqyO+AffI8L9a8Zkc4U3zHpg8gghKmFFjgffDu7dY2ba8fWqvWAtpQKtrVg+mLs= x-amz-request-id: 7527789D6EE8EA70 Date: Tue, 01 Oct 2019 21:54:45 GMT Last-Modified: Thu, 23 Nov 2017 08:11:20 GMT ETag: "18b0139ca76e7447bc64f9a812f4a9f2" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 8058744 Server: AmazonS3

Code Manipulations

Statistics

Behavior

• FL2000-2.1.33676.0.exe • FL2000-2.1.33676.0.exe • FL2000-2.1.33676.0.exe • FL2000-2.1.34054.0.exe • msiexec.exe • msiexec.exe • msiexec.exe • msiexec.exe • msiexec.exe • drvinst.exe • drvinst.exe • drvinst.exe • cmd.exe • conhost.exe • xcopy.exe • cmd.exe • powershell.exe • cmd.exe • powershell.exe • flvga_tray.exe • sc.exe • sc.exe • flvga_tray.exe • flvga_tray.exe

Click to jump to process

System Behavior

General

Start time: 23:54:30 Start date: 01/10/2019 Path: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe Wow64 process (32bit): true Commandline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' -install Imagebase: 0x340000 File size: 8033240 bytes MD5 hash: 18D9DA8E28B2704AAA5BBA34CBDFC8F8 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\tinA830.tmp read attributes | normal synchronous io success or wait 1 34B466 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\tinA830.tmp.part read attributes | normal synchronous io success or wait 1 3648AD CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Local\Temp\updADCE.tmp read attributes | normal synchronous io success or wait 1 34B466 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users read data or list normal directory file | object name collision 2 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 2 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 35 of 51 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\updADCE.tmp.part read attributes | normal synchronous io success or wait 1 3648AD CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\Downloads read data or list normal directory file | object name collision 1 34B8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part read attributes | normal synchronous io success or wait 1 3648AD CreateFileW synchronize | non alert | non generic read | directory file generic write

File Deleted

Source File Path Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\tinA830.tmp success or wait 1 34B3FD DeleteFileW C:\Users\user\AppData\Local\Temp\tinA830.tmp success or wait 1 35A1DD DeleteFileW C:\Users\user\AppData\Local\Temp\updADCE.tmp success or wait 1 34B3FD DeleteFileW C:\Users\user\AppData\Local\Temp\updADCE.tmp success or wait 1 351CEC DeleteFileW

File Moved

Source Old File Path New File Path Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\tinA830.tmp.part C:\Users\user\AppData\Local\Temp\tinA830.tmp success or wait 1 36468F MoveFileW C:\Users\user\AppData\Local\Temp\updADCE.tmp.part C:\Users\user\AppData\Local\Temp\updADCE.tmp success or wait 1 36468F MoveFileW C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part C:\Users\user\Downloads\FL2000-2.1.34054.0.exe success or wait 1 36468F MoveFileW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Copyright Joe Security LLC 2019 Page 36 of 51 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\tinA830.tmp.part unknown 279 3c 21 64 6f 63 74 79 61 2e 6f 72 67 2f 57 65

Copyright Joe Security LLC 2019 Page 37 of 51 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part unknown 8192 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1112 364563 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... J...J...J 00 00 00 00 00 00 00 .xJ...J .zJ...J . 00 00 00 00 00 00 00 {J...J...K...J...K 00 00 00 00 00 00 00 ...Jq..K...J...K...J...J...J.. 00 00 00 20 01 00 00 .J...J...J...J...J...J...K...J 0e 1f ba 0e 00 b4 09 ..vJ...J...K... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d0 ea e7 19 94 8b 89 4a 94 8b 89 4a 94 8b 89 4a 20 17 78 4a 9f 8b 89 4a 20 17 7a 4a 15 8b 89 4a 20 17 7b 4a 8c 8b 89 4a af d5 8a 4b 81 8b 89 4a af d5 8d 4b 80 8b 89 4a 71 d2 8c 4b 97 8b 89 4a af d5 8c 4b a7 8b 89 4a 9d f3 0a 4a 91 8b 89 4a 9d f3 1a 4a 97 8b 89 4a 9d f3 0d 4a 95 8b 89 4a 94 8b 88 4a 1a 8a 89 4a 06 d5 80 4b ca 8b 89 4a 06 d5 76 4a 95 8b 89 4a 06 d5 8b 4b 95 8b 89

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 1024 success or wait 9 362295 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 74 success or wait 1 36232E ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 24 success or wait 8 34DDB7 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 16 success or wait 8 34DE09 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 1374 success or wait 1 358B8A ReadFile C:\Users\user\AppData\Local\Temp\updADCE.tmp unknown 4 success or wait 1 351A29 ReadFile C:\Users\user\AppData\Local\Temp\updADCE.tmp unknown 5 success or wait 1 3663D7 ReadFile

Analysis Process: FL2000-2.1.33676.0.exe PID: 948 Parent PID: 4092

General

Start time: 23:54:33 Start date: 01/10/2019 Path: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe Wow64 process (32bit): true Commandline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' /install Imagebase: 0x340000 File size: 8033240 bytes MD5 hash: 18D9DA8E28B2704AAA5BBA34CBDFC8F8 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Read Copyright Joe Security LLC 2019 Page 38 of 51 Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 1024 success or wait 9 362295 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 74 success or wait 1 36232E ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 24 success or wait 8 34DDB7 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 16 success or wait 8 34DE09 ReadFile C:\Users\user\Desktop\FL2000-2.1.33676.0.exe unknown 1374 success or wait 1 358B8A ReadFile

Analysis Process: FL2000-2.1.33676.0.exe PID: 4292 Parent PID: 4092

General

Start time: 23:54:35 Start date: 01/10/2019 Path: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe Wow64 process (32bit): true Commandline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' /load Imagebase: 0x340000 File size: 8033240 bytes MD5 hash: 18D9DA8E28B2704AAA5BBA34CBDFC8F8 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Read

Analysis Process: FL2000-2.1.34054.0.exe PID: 5036 Parent PID: 4196

General

Start time: 23:54:52 Start date: 01/10/2019 Path: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe Wow64 process (32bit): true Commandline: 'C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' /exenoupdates Imagebase: 0x3b0000 File size: 8058744 bytes MD5 hash: 18B0139CA76E7447BC64F9A812F4A9F2 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Copyright Joe Security LLC 2019 Page 39 of 51 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\shiFE2F.tmp read attributes | normal synchronous io success or wait 1 3C01A4 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users read data or list normal directory file | object name collision 1 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic read data or list normal directory file | success or wait 1 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read data or list normal directory file | success or wait 1 3BB8EE CreateDirectoryW Driver 2.1.34054.0 directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read data or list normal directory file | success or wait 1 3BB8EE CreateDirectoryW Driver 2.1.34054.0\install directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BED43 CreateFileW Driver 2.1.34054.0\install\holder0.aiph synchronize | non alert | non generic write directory file C:\Users read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 40 of 51 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW Driver 2.1.34054.0 directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read data or list normal directory file | object name collision 5 3BB8EE CreateDirectoryW Driver 2.1.34054.0\install directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BD94E CreateFileW Driver 2.1.34054.0\install\FL2000.msi synchronize | non alert | non generic write directory file C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BD94E CreateFileW Driver 2.1.34054.0\install\FL2000.x64.msi synchronize | non alert | non generic write directory file C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BD94E CreateFileW Driver 2.1.34054.0\install\1028 synchronize | non alert | non generic write directory file C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BD94E CreateFileW Driver 2.1.34054.0\install\2052 synchronize | non alert | non generic write directory file C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display read attributes | normal synchronous io success or wait 1 3BD94E CreateFileW Driver 2.1.34054.0\install\disk1.cab synchronize | non alert | non generic write directory file

File Deleted

Source File Path Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\shiFE2F.tmp success or wait 1 3C04B0 DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph success or wait 1 3BEDEB DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi success or wait 1 3BDC91 DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi success or wait 1 3BDC91 DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028 success or wait 1 3BDC91 DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052 success or wait 1 3BDC91 DeleteFileW C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab success or wait 1 3BDC91 DeleteFileW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Copyright Joe Security LLC 2019 Page 41 of 51 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\shiFE2F.tmp 0 524288 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 8 3C01CE CopyFileW 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... hR...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 f8 00 00 00 ...... Rich...... 0e 1f ba 0e 00 b4 09 ...... PE..d.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ac bd 68 52 e8 dc 06 01 e8 dc 06 01 e8 dc 06 01 87 b8 03 00 e9 dc 06 01 87 b8 02 00 f8 dc 06 01 87 b8 05 00 eb dc 06 01 e8 dc 07 01 0c dd 06 01 87 b8 07 00 ff dc 06 01 87 b8 06 00 e9 dc 06 01 87 b8 08 00 a5 dc 06 01 87 b8 f9 01 e9 dc 06 01 87 b8 04 00 e9 dc 06 01 52 69 63 68 e8 dc 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic unknown 65536 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 19 3BDB1D WriteFile USB Display Driver 2.1.34054.0\install\FL2000.msi e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 00 ...... 00 00 00 00 03 00 00 ...... 00 01 00 00 00 01 00 ...... 00 00 00 00 00 00 00 ...... 10 00 00 1b 00 00 00 ...... 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Copyright Joe Security LLC 2019 Page 42 of 51 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic unknown 65536 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 25 3BDB1D WriteFile USB Display Driver 2.1.34054.0\install\FL2000.x64.msi e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 00 ...... 00 00 00 00 03 00 00 ...... 00 01 00 00 00 01 00 ...... 00 00 00 00 00 00 00 ...... 10 00 00 1b 00 00 00 ...... 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic unknown 57344 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 1 3BDB1D WriteFile USB Display Driver 2.1.34054.0\install\1028 e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 00 ...... 00 00 00 00 01 00 00 ...... 00 01 00 00 00 01 00 ...... 00 00 00 00 00 00 00 ...... 10 00 00 08 00 00 00 ...... 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic unknown 57344 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 1 3BDB1D WriteFile USB Display Driver 2.1.34054.0\install\2052 e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 00 ...... 00 00 00 00 01 00 00 ...... 00 01 00 00 00 01 00 ...... 00 00 00 00 00 00 00 ...... 10 00 00 08 00 00 00 ...... 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Copyright Joe Security LLC 2019 Page 43 of 51 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic unknown 65536 4d 53 43 46 00 00 00 MSCF...... E.....D...... success or wait 70 3BDB1D WriteFile USB Display Driver 2.1.34054.0\install\disk1.cab 00 7f c8 45 00 00 00 ...... E...... 00 00 44 00 00 00 00 ...... wK.l .FL2000 00 00 00 03 01 01 00 .inf_1.x...... wK.l .fl2000. 1b 00 04 00 d2 04 00 sys_2.p...;.....wK.l 00 14 00 00 00 00 00 .WdfCoIns 10 00 7f c8 45 00 08 taller01011.dll_2...... wK 19 00 00 00 00 00 00 .l .flvga_tray.exe_2.x$..+f".. 00 00 00 00 d1 03 00 .wK.l 00 c3 00 01 00 c3 0b .fl2000.sys_3.p.....%...wK.l 00 00 00 00 00 00 00 .WdfCoInst 00 77 4b 0f 6c 20 00 46 4c 32 30 30 30 2e 69 6e 66 5f 31 00 78 c8 02 00 c3 0b 00 00 00 00 77 4b 0f 6c 20 00 66 6c 32 30 30 30 2e 73 79 73 5f 32 00 70 fd 18 00 3b d4 02 00 00 00 77 4b 0f 6c 20 00 57 64 66 43 6f 49 6e 73 74 61 6c 6c 65 72 30 31 30 31 31 2e 64 6c 6c 5f 32 00 80 94 06 00 ab d1 1b 00 00 00 77 4b 0f 6c 20 00 66 6c 76 67 61 5f 74 72 61 79 2e 65 78 65 5f 32 00 78 24 03 00 2b 66 22 00 00 00 77 4b 0f 6c 20 00 66 6c 32 30 30 30 2e 73 79 73 5f 33 00 70 89 1b 00 a3 8a 25 00 00 00 77 4b 0f 6c 20 00 57 64 66 43 6f 49 6e 73 74

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 1024 success or wait 7 3D2295 ReadFile C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 74 success or wait 1 3D232E ReadFile C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 24 success or wait 8 3BDDB7 ReadFile C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 16 success or wait 8 3BDE09 ReadFile C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 1388 success or wait 1 3C8B8A ReadFile C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 65536 success or wait 116 3BDAE6 ReadFile \ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 70 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 70 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 70 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 success or wait 1 3CFB14 ReadFile \ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe unknown 32656 pipe broken 1 3CFB14 ReadFile

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol HKEY_CURRENT_USER\Software\Caphyon success or wait 1 3BF543 RegCreateKeyW HKEY_CURRENT_USER\Software\Caphyon\Setups success or wait 1 3BF543 RegCreateKeyW

Source Key Path Name Type Data Completion Count Address Symbol HKEY_CURRENT_USER\Software\Cap Advinst_33F2BA97D9B6 unicode C:\Users\user\Downloads\FL2000- success or wait 1 3BF561 RegSetValueExW hyon\Setups 41EC8F11D6 2.1.34054.0.exe 656BF35545

Analysis Process: msiexec.exe PID: 4272 Parent PID: 5036

General

Start time: 23:54:54 Start date: 01/10/2019 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: /i 'C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054 .0\install\FL2000.x64.msi' AI_SETUPEXEPATH='C:\Users\user\Downloads\FL2000-2.1. 34054.0.exe' SETUPEXEDIR='C:\Users\user\Downloads\' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' Imagebase: 0x7ff6ee600000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: msiexec.exe PID: 1492 Parent PID: 4536

General

Start time: 23:54:56 Start date: 01/10/2019 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 5B7212B2A0E72EFBDFF572D491F96252 C Imagebase: 0x290000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

General

Start time: 23:55:11 Start date: 01/10/2019 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding B8142CC01163E4DA639627860F1CF8BB Imagebase: 0x290000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: msiexec.exe PID: 4148 Parent PID: 4536

General

Start time: 23:55:12 Start date: 01/10/2019 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\MsiExec.exe -Embedding 94BE93BE77F29D2C2C3BCA280B9A42CC Imagebase: 0x7ff6ee600000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: msiexec.exe PID: 5108 Parent PID: 4536

General

Start time: 23:55:13 Start date: 01/10/2019 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\MsiExec.exe -Embedding F8B4CEBEEC0818AC96CAA2C8B26978A1 E Global\MSI0000 Imagebase: 0x7ff6ee600000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: drvinst.exe PID: 3532 Parent PID: 700

General

Start time: 23:55:14 Start date: 01/10/2019 Path: C:\Windows\System32\drvinst.exe Wow64 process (32bit): false

Copyright Joe Security LLC 2019 Page 46 of 51 Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\ FL2000.inf' '9' '40101c057' '0000000000000A54' 'WinSta0\Default' '0000000000000CF8' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000' Imagebase: 0x7ff7bc780000 File size: 166912 bytes MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: drvinst.exe PID: 716 Parent PID: 700

General

Start time: 23:55:19 Start date: 01/10/2019 Path: C:\Windows\System32\drvinst.exe Wow64 process (32bit): false Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_pro xykmd\lci_proxykmd.inf' '9' '4d9ccbb2f' '0000000000000C28' 'WinSta0\Default' '000000000000 0CF4' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd' Imagebase: 0x7ff7bc780000 File size: 166912 bytes MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: drvinst.exe PID: 4888 Parent PID: 700

General

Start time: 23:55:23 Start date: 01/10/2019 Path: C:\Windows\System32\drvinst.exe Wow64 process (32bit): false Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_ iddcx\fresco_iddcx.inf' '9' '4d7097e0f' '0000000000000CF4' 'WinSta0\Default' '000000000000 0CCC' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx' Imagebase: 0x7ff7bc780000 File size: 166912 bytes MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Analysis Process: cmd.exe PID: 2564 Parent PID: 4536

General

Start time: 23:55:26 Start date: 01/10/2019 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\cmd.exe /c ''C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\post_install.cmd'' Imagebase: 0x7ff75fa30000 File size: 273920 bytes MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F Has administrator privileges: true

Analysis Process: conhost.exe PID: 4420 Parent PID: 2564

General

Start time: 23:55:26 Start date: 01/10/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff642e80000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: xcopy.exe PID: 2736 Parent PID: 2564

General

Start time: 23:55:26 Start date: 01/10/2019 Path: C:\Windows\System32\xcopy.exe Wow64 process (32bit): false Commandline: xcopy /y /q .\fl2000\x64\flvga_tray.exe C:\Windows\System32\ Imagebase: 0x7ff700ad0000 File size: 47616 bytes MD5 hash: 6BC7DB1465BEB7607CBCBD7F64007219 Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 5056 Parent PID: 2564

General

Start time: 23:55:27 Start date: 01/10/2019 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Major Imagebase: 0x7ff75fa30000 File size: 273920 bytes MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 4800 Parent PID: 5056

General

Start time: 23:55:27 Start date: 01/10/2019 Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): false Copyright Joe Security LLC 2019 Page 48 of 51 Commandline: powershell [environment]::OsVersion.Version.Major Imagebase: 0x7ff71c1f0000 File size: 447488 bytes MD5 hash: 95000560239032BC68B4C2FDFCDEF913 Has administrator privileges: true Programmed in: .Net C# or VB.NET

Analysis Process: cmd.exe PID: 2444 Parent PID: 2564

General

Start time: 23:55:33 Start date: 01/10/2019 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Build Imagebase: 0x7ff75fa30000 File size: 273920 bytes MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 4056 Parent PID: 2444

General

Start time: 23:55:33 Start date: 01/10/2019 Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): false Commandline: powershell [environment]::OsVersion.Version.Build Imagebase: 0x7ff71c1f0000 File size: 447488 bytes MD5 hash: 95000560239032BC68B4C2FDFCDEF913 Has administrator privileges: true Programmed in: .Net C# or VB.NET

Analysis Process: flvga_tray.exe PID: 4028 Parent PID: 3040

General

Start time: 23:55:39 Start date: 01/10/2019 Path: C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe Wow64 process (32bit): true Commandline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe' i Imagebase: 0x140000 File size: 431232 bytes MD5 hash: 4D9DE5366E2CB20A68BAEDA9C4A8D05E Has administrator privileges: false Programmed in: C, C++ or other language

Analysis Process: sc.exe PID: 4824 Parent PID: 2564

General

Copyright Joe Security LLC 2019 Page 49 of 51 Start time: 23:55:40 Start date: 01/10/2019 Path: C:\Windows\System32\sc.exe Wow64 process (32bit): false Commandline: sc delete flxhciv Imagebase: 0x7ff6d2080000 File size: 69120 bytes MD5 hash: D79784553A9410D15E04766AAAB77CD6 Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: sc.exe PID: 4844 Parent PID: 2564

General

Start time: 23:55:41 Start date: 01/10/2019 Path: C:\Windows\System32\sc.exe Wow64 process (32bit): false Commandline: sc query ddmgr Imagebase: 0x7ff6d2080000 File size: 69120 bytes MD5 hash: D79784553A9410D15E04766AAAB77CD6 Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: flvga_tray.exe PID: 4796 Parent PID: 2564

General

Start time: 23:55:41 Start date: 01/10/2019 Path: C:\Windows\System32\flvga_tray.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\flvga_tray.exe i Imagebase: 0x930000 File size: 457336 bytes MD5 hash: 7B16174FF4C023F4A9DE26D7A6F678F8 Has administrator privileges: true Programmed in: C, C++ or other language Antivirus matches: Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse

Analysis Process: flvga_tray.exe PID: 2472 Parent PID: 3040

General

Start time: 23:55:47 Start date: 01/10/2019 Path: C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe Wow64 process (32bit): false Commandline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe' i Imagebase: 0x7ff7db040000 File size: 457336 bytes MD5 hash: 7B16174FF4C023F4A9DE26D7A6F678F8 Has administrator privileges: false Programmed in: C, C++ or other language

Code Analysis